Understanding the Basics

Get Started with Compliance Fundamentals

From creating a top-notch code of conduct to understanding the role compliance plays in your organization, this is the place to learn the core elements of an effective compliance program.

Each compliance program is unique, with disparate risks and varying levels of maturity. Although many nuances are determined by your company's size, industry and location, there are still basic principles that are best practices across the board. In this section you'll learn about the key skills every compliance professional should have, as well as the general knowledge base that effective compliance professionals build and apply throughout their careers.

Just as there are key skills every modern compliance professional should possess, there are fundamental elements every effective compliance program should practice. This section will introduce you to those key components of a robust compliance program and provide the guidance you need to move your career and program to its next level of sophistication. 

The Ultimate List of Compliance Program Statistics

Looking for stats and trends to include in your next board presentation?
We've got you covered.

Anti-Fraud Controls

Organizations that used proactive data monitoring had 54% lower losses and halved the time to detect the fraud. Similarly, management review and whistleblower hotlines also reduced losses by 50% and cut detection time by 50%.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The most common anti-fraud controls implemented by organizations include an external audit of financial statements (81.7%), code of conduct (81.7%) and an internal audit department (73.7%). 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

In more than 88% of background checks conducted, no prior misconduct or red flags were discovered, since perpetrators are often first-time offenders.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)
 


Weak implementation of anti-fraud controls, such as a lack of internal controls (29%), the overriding of existing internal controls (20%), and a lack of management review (19%), often contributes to fraud.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

Bribery and Corruption

Corruption schemes were often enabled by a lack of internal controls (29.3%) or the overriding of existing internal controls (20.3%).

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

In a 2013 national survey, 2% of employees witnessed a colleague offering a bribe to a public official. 

(Ethics and Compliance Initiative. (2014). National Business Ethics Survey® (NBES®) 2013. Retrieved 17 January, 2017)


Almost 20% of employees observe bribery- and corruption-related misconduct.

(Ethics and Compliance Initiative. (2016). Global Business Ethics Survey. Retrieved 17 January, 2017)


Bribery- and corruption-related misconduct is more likely to be observed at multinational companies (19%) and supplier companies (20%).

(Ethics and Compliance Initiative. (2016). Global Business Ethics Survey. Retrieved 17 January, 2017)


In the private sector, 75% of bribery cases involve management.

(Ethics and Compliance Initiative. (2016). Global Business Ethics Survey. Retrieved 17 January, 2017)


Corruption cases made up 35.4% of the cases studied, with a median loss of $200,000.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

Chief Compliance Officers (CCO)

More than 90% of CCOs report their Board or a committee of the Board is adequately informed of compliance risks and mitigation efforts. The group meets annually to review and approve the compliance program.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

36% of CCOs do not know, or disagree, that their lines of business management take ownership of the compliance culture and agenda. Only 15% of CCOs strongly agree with this statement, indicating that for many organizations room exists for growth.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

31% of CCOs do not know, or do not communicate, conduct and culture lessons across their organizations. Further, 29% of CCOs have not documented, or do not know if they have, formalized compliance roles and responsibilities for their staff—it is foundational for employees to understand the importance of compliance and their role within the compliance structure.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

While CCOs report that they address compliance infractions in a timely manner and with appropriate disciplinary actions, almost 4 in 10 CCOs (39%) do not consider (or do not know if their organization considers) employee adherence to compliance policies and procedures as a factor in performance ratings and compensation decisions.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Only 29% of organizations report that they assess compliance proficiencies and skills of their staff on an ongoing basis.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

At least 94% of organizations report that compliance requirements are embedded within their policies and procedures and separately also within their code of conduct, which is accessible to all employees.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Only 27% of CCOs strongly agree that the compliance function has a change management process in place to identify and incorporate changes in laws and regulations and to incorporate such changes into their policies and procedures.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

While 84% of CCOs report having a compliance risk assessment process that leverages qualitative and quantitative measurements, 32% do not agree or do not know if their business unit, operations, and IT management are involved in assessing compliance risk within their units. In addition, roughly one-third of CCOs do not (or do not know if they) conduct reassessments of their risk profiles upon business changes.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Only 69% of CCOs say their organization leverages technology to support its compliance initiatives, and less than half (47%) say they use data analytics and other technology processes to conduct root-cause and trend analysis.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

33% of CCOs report they do not have, or do not know if their compliance testing program includes transactional, process, and controls testing, and only 27% of CCOs strongly agree that they monitor and track for regulatory changes.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

84% of organizations provide reports on the enterprise-wide state of compliance including culture, conduct, governance, and key issues. Yet, only 47% of CCOs say their organization has an enterprise-wide reporting system that is integrated with compliance monitoring and across functions and business units.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Slightly more than half of organizations have a compliance monitoring process to confirm that third-party vendors adhere to compliance due diligence processes, and just 31% manage third-party risk and issue tracking through an enterprise-wide tool capable of monitoring KRIs/KPIs.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Compliance Program Effectiveness

In a 2015 survey, 30% of compliance professionals in the United States reported that they do not measure the effectiveness of their compliance programs.

(Deloitte. (2015). In Focus: 2015 Compliance Trends Survey. Retrieved 12 January, 2017)

 

Similarly, in a 2016 survey, 44% of organizations do not measure the effectiveness of their policy management program.

(Penman, C. & Stephens, R. (2016). 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017)

 

Almost two-thirds of organizations (63%) believe that their policy management program helps reduce the legal cost and resolution time of regulatory issues and fines. 

(Penman, C. & Stephens, R. (2016). 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017)

 

Corporate Fraud

Corporate fraud caused losses of $1 million or more in 23% of cases studied. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

8.4% of organizations victimized by fraud were fined as a result of the fraud. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The most common form of fraud was asset misappropriation (more than 83% of cases), with a median loss of $125,000. Financial statement fraud occurred in less than 10% of cases but caused a median loss of $975,000.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The accounting department is responsible for more occupational frauds than any other business unit (16.6%). Individuals from accounting, operations, sales, executive/upper management, customer service, purchasing and finance committed three-fourths of all frauds analyzed in the study.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The median loss per fraud case committed by an owner/executive was $703,000. By contrast, when the fraud was committed by a manager or an employee, the median loss was much lower, at $173,000 and $65,000 respectively.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The perpetrator attempted to conceal the fraud in 94.5% of the cases studied.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

In a 2013 national survey, 3% of employees were aware of financial reports that contained misleading information.  

(Ethics and Compliance Initiative. (2014). National Business Ethics Survey® (NBES®) 2013. Retrieved 17 January, 2017)

 

Cyber Security

The mean time to identify a data breach is 201 days, and the mean time to contain a breach is 70 days. Companies that identify a breach within the first 100 days spend about $1 million less on average than those that identify it later.

(Ponemon Institute LLC. (2016). 2016 Cost of Data Breach Study: Global Analysis. Retrieved 13 January, 2017)

 

60% of the 200 security leaders surveyed indicated that their organizations had been the victim of at least one social engineering attack in the past year. Employees' credentials were compromised in 65% of those cases.

(Barker, I. (2016). 60 percent of enterprises have fallen victim to social engineering in 2016. Retrieved 17 January, 2017)

 

A hacker used social engineering to obtain information on 20,000 FBI agents and 9,000 Department of Homeland Security officials.

(Hackett, R. (2016). Hacker Leaks 29,000 FBI Agents and DHS Staffers' Info. Fortune.com. Retrieved 17 January, 2017)

 

In 2011, EMC spent $66 million to recover from a cyber-attack that began with an employee opening an attached Excel file labeled '2011 Recruitment Plan'.

(Peters, S. (2015). The 7 Best Social Engineering Attacks Ever. Retrieved 17 January, 2017)

 

Phishing via links in emails represents 88% of all reported phishing.

(Social-Engineer.org. (2014). The Social Engineering Infographic - Security Through Education. Retrieved 17 January, 2017)

 

Cyber Security (Response Plans)

Having an incident response team lowers the cost of a breach by $16 per stolen record. Other measures, such as extensive use of encryption ($13 saved per stolen record), employee training ($9), threat sharing ($9), and appointing a chief information security officer ($7), also lower the cost per stolen record.

(Ponemon Institute LLC. (2016). 2016 Cost of Data Breach Study: Global Analysis. Retrieved 13 January, 2017)

 

An annual preparedness study found that 81% of organizations have a data breach response plan in place. 

(Ponemon Institute. (2015). Third Annual Study: Is Your Company Ready for a Big Data Breach?. Retrieved 17 January, 2017)
 


37% of companies that participated in the study do not have procedures in place for data breaches that occur overseas. 

(Ponemon Institute. (2015). 2015 Cost of Data Breach Study: Impact of Business Continuity Management. Retrieved 17 January, 2017)
 


Only 25% of companies in the annual preparedness study update data breach response plans once or twice a year. 

(Bruemmer, M. (2016). Top 5 Fails from Companies Preparing for and Responding to a Data Breach. Retrieved 17 January, 2017)
 


25% of companies that participated in the study have not reviewed the incident response plans of their third-party partners.

(Ponemon Institute. (2015). 2015 Cost of Data Breach Study: Impact of Business Continuity Management. Retrieved 17 January, 2017)

 

Cyber Security (Social Engineering Attacks and Human Error)

According to research conducted between January 2015 and July 2016, office-themed phishing email simulations had the highest success rate, at 20%.

(Seals, T. (2016). Office-Themed Phishes Have 20% Success Rate - Infosecurity Magazine. Retrieved 17 January, 2017)


Malicious or criminal attacks were responsible for 48% of all breaches in the 2016 study. The average cost to resolve a breach caused by a malicious attack was $170 per record, whereas breaches caused by system glitches or human error cost $133 per record.

(Ponemon Institute LLC. (2016). 2016 Cost of Data Breach Study: Global Analysis. Retrieved 13 January, 2017)

 

Governance, Risk, and Compliance (GRC) technology

Among organizations currently using or considering GRC technology solutions, nearly two-thirds (61%) expect to spend more on enterprise GRC platforms in the next three years.

(OCEG. (2016). 2016 GRC Technology Strategy Survey Report. Retrieved 12 January, 2017)

 

Harassment (US)

In a 2014 national survey, 27% of American workers (37 million) indicated that they have been the victim of abusive conduct at work.

(Workplace Bullying Institute. (2014). WBI 2014 US Workplace Bullying Survey | Workplace Bullying Institute. Retrieved 13 January, 2017)

 

56% of bullies are people in positions of authority. 

(Workplace Bullying Institute. (2014). WBI 2014 US Workplace Bullying Survey | Workplace Bullying Institute. Retrieved 13 January, 2017)


Less than 20% of American employers take actions to stop workplace bullying. 

(Workplace Bullying Institute. (2014). WBI 2014 US Workplace Bullying Survey | Workplace Bullying Institute. Retrieved 13 January, 2017)


To escape bullying, 48% of the bullied targets quit their jobs.  Additionally, 13% of targets are fired from their jobs. 

(Workplace Bullying Institute. (2014). WBI 2014 US Workplace Bullying Survey | Workplace Bullying Institute. Retrieved 13 January, 2017)


 

Pace of Regulatory Change

Keeping policies current with changing regulations is the number one challenge for 47% of organizations. Relatedly, training employees (40%) and managing policy version control (32%) were also cited as significant challenges.

(Penman, C. & Stephens, R. (2016). 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017)

 

In 2012, 40% of senior risk executives working for large organizations were very or extremely concerned about their existing risk system’s ability to adapt to forthcoming regulatory requirements. 44% of respondents from mid-size organizations and 12% from smaller institutions shared similar strong concerns.

(Deloitte. (2014). Governance, Risk and Compliance (GRC) software - Business needs and market trends. Retrieved 12 January, 2017)

 

Regulatory Impacts

In the past three years, 44% of organizations have faced “legal or external regulatory actions where a policy came under review as part of the action or defense”.

(Penman, C. & Stephens, R. (2016). 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017)

 

Resourcing & Budgets

In a 2016 survey of risk management employers, just over two-thirds (68%) felt that their compliance department was "insufficiently resourced for the demands made on it", up from 55% in 2015.

(Barclay Simpson. (2016). Corporate Governance Recruitment Market Report 2016 - Compliance. Retrieved 12 January, 2017)

 

In a 2016 survey, only 47% of internal auditors felt that their internal audit department was "sufficiently resourced for the demands that are made on it".

(Barclay Simpson. (2016). Corporate Governance Recruitment Market Report 2016 - Internal Audit. Retrieved 12 January, 2017) 
 

Almost a quarter of organizations have a third-party risk management budget of less than $50,000.

(Stephens, R. (2016). 2016 Ethics & Compliance Third Party Risk Management Benchmark Report. Retrieved 18 January, 2017)

 

Around half (51%) of financial service firms globally have a senior manager responsible for conduct risk. There is a degree of regional variation, with respondents in Australasia reporting that only 28% of firms have a senior manager for conduct risk.

(Thomson Reuters. (2016). Conduct Risk Report 2015/16. Retrieved 12 January, 2017)

 

Retaliation (Global)

Approximately one-third of whistleblowers (median value 36%) experienced retaliation across the 13 countries surveyed.

(Ethics and Compliance Initiative. (2016). Global Business Ethics Survey. Retrieved 17 January, 2017)

 

Retaliation (US)

34% of American workers do not speak up about misconduct for fear of retaliation from senior leadership. Additionally, 30% were concerned about payback from a supervisor and 24% were worried about their co-workers retaliating.

(Ethics and Compliance Initiative. (2014). National Business Ethics Survey® (NBES®) 2013. Retrieved 17 January, 2017)

 

Training

Over a two- to three-year cycle, organizations provide training on an average of 12 topical areas. The three topics most likely to be covered by training programs within the next two to three years are code of conduct (93%), conflicts of interest (76%) and cybersecurity (69%).

(Freedeen, I. (2016). 2016 Ethics and Compliance Training Benchmark Report. Retrieved 17 January, 2017)

 

Only 12% of organizations have an advanced compliance and ethics training program.  Nearly 40% of organizations rate their programs as basic or reactive. 

(Freedeen, I. (2016). 2016 Ethics and Compliance Training Benchmark Report. Retrieved 17 January, 2017)

 

More than one half (51%) of respondents have implemented some form of training on conduct risk. More than one-third of firms (37%) have not done so, but feel they need to.

(Thomson Reuters. (2016). Conduct Risk Report 2015/16. Retrieved 12 January, 2017)

 

23% of companies do not have a formal compliance training plan in place. 

(Freedeen, I. (2016). 2016 Ethics and Compliance Training Benchmark Report. Retrieved 17 January, 2017)

 

Only 13% of Boards are given training on cybersecurity.  

(Freedeen, I. (2016). 2016 Ethics and Compliance Training Benchmark Report. Retrieved 17 January, 2017)

 

Whistleblowing

Organizations with reporting hotlines detected fraud through tips 47.3% of the time whereas organizations without hotlines only detected 28.2% of fraudulent cases through tips. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)


In organizations with a formal reporting mechanism, telephone hotlines were the most common channel for tips (39.5%). However, the online channels combined, email (34.1%) and web-based or online forms (23.5%), make the Internet a more popular reporting method than the telephone.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)


Whistleblowers report fraud to their direct supervisors 20.6% of the time and company executives 18% of the time in the cases studied. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)


However, it should be noted that the Ethics Resource Center reports 56% of initial complaints are made to direct supervisors. 

(Keating, G., & Kruzer, L. (2017). Effective Employee Training Increasingly Important Amid Increased Whistleblower Liability and Damage Awards. Retrieved 17 January, 2017)

 

The time it takes to close a case is increasing year over year: the median case closure time was 32 days in 2011 versus 46 days in 2015.

(Penman, C. & O’Mara, E. (2016). 2016 Ethics and Compliance Hotline Benchmark Report. Retrieved 18 January, 2017)

 

Over a six-year span, the share of tips determined to have merit increased from 30% in 2010 to 41% in 2015.

(Penman, C. & O’Mara, E. (2016). 2016 Ethics and Compliance Hotline Benchmark Report. Retrieved 18 January, 2017)

 

According to the Ethics Resource Center 91% of whistleblower tips are first reported internally.  If not addressed properly, 84% of those go on to report the misconduct externally. 

(Keating, G., & Kruzer, L. (2017). Effective Employee Training Increasingly Important Amid Increased Whistleblower Liability and Damage Awards. Retrieved 17 January, 2017)


Whistleblower hotlines are implemented in only 60.1% of organizations. Among small organizations, hotlines were present in only 25.7% of the cases studied.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

According to the Ethics Resource Center 91% of whistleblower tips are first reported internally.  If not addressed properly, 84% of those go on to report the misconduct externally. 

(Keating, G., & Kruzer, L. (2017). Effective Employee Training Increasingly Important Amid Increased Whistleblower Liability and Damage Awards. Retrieved 17 January, 2017)


Whistleblower hotlines are only implemented in 60.1% of organizations. In small organizations, hotlines are only implemented in 25.7% of the cases studied. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

Looking for stats and trends to include in your next board presentation?
We've got you covered.

Anti-Fraud Controls

Organizations that used proactive data monitoring had 54% lower loss and halved the time to detect the fraud.  Similarly, management review and whistleblower hotlines also reduced the losses by 50% and decreased the detection time by 50%.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The most common anti-fraud controls implemented by organizations include an external audit of financial statements (81.7%), code of conduct (81.7%) and an internal audit department (73.7%). 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

In more than 88% of background checks conducted, no prior misconduct or redflags were discovered since perpetrators are often first-time offenders. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)
 


Weak implementation of anti-fraud controls, such as lack of internal controls (29%), overriding of existing internal controls (20%), and lack of management review (19%), often contribute to fraud.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

Bribery and Corruption

Corruption schemes were often due to a lack of internal controls (29.3%) and overriding of existing internal controls (20.3%). 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

In a 2013 national survey, 2% of employees witnessed a colleague offering a bribe to a public official. 

(Ethics and compliance initiative. (2014). National Business Ethics Survey® (NBES®) 2013. Retrieved 17 January, 2017)


Almost 20% of employees observe bribery and corruption related misconduct. 

(Ethics and compliance initiative. (2016). Global Business Ethics Survey. Retrieved 17 January, 2017)


Bribery and corruption related misconducted is more likely to be observed at multinational companies (19%) and supplier companies (20%).

(Ethics and compliance initiative. (2016). Global Business Ethics Survey. Retrieved 17 January, 2017)


In the private sector, 75% of bribery cases involve management.

(Ethics and compliance initiative. (2016). Global Business Ethics Survey. Retrieved 17 January, 2017)


Corruption cases cost a median loss of $200,000 and occurred 35.4% of the time. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

Chief Compliance Officers (CCO)

More than 90% of CCOs report their Board or a committee of the Board is adequately informed of compliance risks and mitigation efforts. The group meets annually to review and approve the compliance program.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

36% of CCOs do not know, or disagree, that their lines of business management take ownership of the compliance culture and agenda. Only 15% of CCOs strongly agree with this statement, indicating that for many organizations room exists for growth.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

31% of CCOs do not know, or do not communicate, conduct and culture lessons across their organizations. Further, 29% of CCOs have not documented, or do not know if they have, formalized compliance roles and responsibilities for their staff—it is foundational for employees to understand the importance of compliance and their role within the compliance structure.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

While CCOs report that they address compliance infractions in a timely manner and with appropriate disciplinary actions, almost 4 in 10 CCOs (39%) do not consider (or do not know if their organization considers) employee adherence to compliance policies and procedures as a factor in performance ratings and compensation decisions.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Only 29% of organizations report that they assess compliance proficiencies and skills of their staff on an ongoing basis.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

At least 94% of organizations report that compliance requirements are embedded within their policies and procedures and separately also within their code of conduct, which is accessible to all employees.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Only 27% of CCOs strongly agree that the compliance function has a change management process in place to identify and incorporate changes in laws and regulations and to incorporate such changes into their policies and procedures.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

While 84% of CCOs report having a compliance risk assessment process that leverages qualitative and quantitative measurements, 32% do not agree or do not know if their business unit, operations, and IT management are involved in assessing compliance risk within their units. In addition, roughly one-third of CCOs do not (or do not know if they) conduct reassessments of their risk profiles upon business changes.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Only 69% of CCOs say their organization leverages technology to support its compliance initiatives, while less than half—just 47%—say they use data analytics and other technology processes to conduct root cause and trending analysis.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

33% of CCOs report they do not have, or do not know if their compliance testing program includes transactional, process, and controls testing, and only 27% of CCOs strongly agree that they monitor and track for regulatory changes.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

84% of organizations provide reports on the enterprise-wide state of compliance including culture, conduct, governance, and key issues. Yet, only 47% of CCOs say their organization has an enterprise-wide reporting system that is integrated with compliance monitoring and across functions and business units.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Slightly more than half of organizations have a compliance monitoring process to confirm that third-party vendors adhere to compliance due diligence processes, and just 31% manage third-party risk and issue tracking through an enterprise-wide tool capable of monitoring KRIs/KPIs.

(Stryker, Nicole. "The Compliance Journey: Boosting the Value of Compliance in a Changing Regulatory Climate." KPMG. Ed. Karen Staines. KPMG LLP, 2017. Web. 13 July 2017)

 

Compliance Program Effectiveness

In a 2015 survey, 30% of compliance professionals in the United States do not measure the effectiveness of their compliance programs.

(Deloitte. (2015). In Focus: 2015 Compliance Trends Survey. Retrieved 12 January, 2017)

 

Similarly, in a 2016 survey, 44% of organizations do not measure the effectiveness of their policy management program.

(Penman, C. & Stephens, R. (2016). 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017)

 

Almost two-thirds of organizations (63%) believe that their policy management program helps reduce the legal cost and resolution time of regulatory issues and fines. 

(Penman, C. & Stephens, R. (2016). 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017)

 

Corporate Fraud

Corporate fraud caused losses of $1 million or more in 23% of cases studied. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

8.4% of organizations victimized by fraud were fined as a result of the fraud. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The most common form of fraud was asset misappropriation (> 83%), with a median loss of $125,000. Meanwhile, financial statement fraud occurred in less than 10% of cases but had a median loss of $975,000.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The accounting department is responsible for more occupational frauds than any other business unit (16.6%). Individuals from accounting, operations, sales, executive/upper management, customer service, purchasing and finance committed three-fourths of all frauds analyzed in the study.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The median loss per fraudulent case when committed by an owner/executive was $703,000. By contrast, when the fraud was committed by a manager or employee, the median loss was much less, at $173,000 and $65,000 respectively.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

The perpetrator attempted to conceal the fraud in 94.5% of the cases studied.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)

 

In a 2013 national survey, 3% of employees were aware of financial reports that contained misleading information.  

(Ethics and Compliance Initiative. (2014). National Business Ethics Survey® (NBES®) 2013. Retrieved 17 January, 2017)

 

Cyber Security

The average time to discover a data breach is 201 days, and the mean time to contain a breach is 70 days. Companies that discover a data breach within the first 100 days spend about $1 million less on average than those that discover it later.

(Ponemon Institute LLC. (2016). 2016 Cost of Data Breach Study: Global Analysis. Retrieved 13 January, 2017)

 

60% of 200 security leaders surveyed indicated that their organizations were victims of at least one social engineering attack in the past year.  Employees’ credentials were compromised in 65% of the cases. 

(Barker, I. (2016). 60 percent of enterprises have fallen victim to social engineering in 2016. Retrieved 17 January, 2017)

 

A hacker used social engineering to obtain information on 20,000 FBI agents and 9,000 Department of Homeland Security officials.

(Hackett, R. (2016). Hacker Leaks 29,000 FBI Agents and DHS Staffers' Info | Fortune.com. Retrieved 17 January, 2017)

 

In 2011, EMC spent $66 million to recover from a cyber-attack that began with an employee opening an attached Excel file labeled ‘2011 Recruitment Plan’.

(Peters, S. (2015). The 7 Best Social Engineering Attacks Ever. Retrieved 17 January, 2017)

 

Phishing via links in emails represents 88% of all reported phishing.

(Social-engineering. (2014). The Social Engineering Infographic - Security Through Education. Retrieved 17 January, 2017)

 

Cyber Security (Response Plans)

Having an incident response team can lower the cost of a breach by $16 per stolen record. Other measures, such as use of encryption ($13 saved per stolen record), employee training ($9), threat sharing ($9), and appointing a chief information security officer ($7), can also lower the cost per stolen record.

(Ponemon Institute LLC. (2016). 2016 Cost of Data Breach Study: Global Analysis. Retrieved 13 January, 2017)

 

An annual preparedness study found that 81% of organizations have a data breach response plan in place. 

(Ponemon Institute. (2015). Third Annual Study: Is Your Company Ready for a Big Data Breach?. Retrieved 17 January, 2017)
 


37% of companies that participated in the study do not have procedures in place for data breaches that occur overseas. 

(Ponemon Institute. (2015). 2015 Cost of Data Breach Study: Impact of Business Continuity Management. Retrieved 17 January, 2017)
 


Only 25% of companies in the annual preparedness study update data breach response plans once or twice a year. 

(Bruemmer, M. (2016). Top 5 Fails from Companies Preparing for and Responding to a Data Breach. Retrieved 17 January, 2017)
 


25% of companies that participated in the study have not reviewed the incident response plans of their 3rd party partners. 

(Ponemon Institute. (2015). 2015 Cost of Data Breach Study: Impact of Business Continuity Management. Retrieved 17 January, 2017)

 

Cyber Security (Social Engineering Attacks and Human Error)

According to research conducted between January 2015 and July 2016, office-themed email phishing simulations have the highest rates of success, at 20%.

(Seals, T. (2016). Office-Themed Phishes Have 20% Success Rate - Infosecurity Magazine. Retrieved 17 January, 2017)


Malicious or criminal attacks were responsible for 48% of all breaches in the 2016 study. The average cost to resolve a malicious attack was $170 per record. Other causes, such as system glitches or human error, cost $133 per record.

(Ponemon Institute LLC. (2016). 2016 Cost of Data Breach Study: Global Analysis. Retrieved 13 January, 2017)

 

Governance, Risk, and Compliance (GRC) technology

Among organizations currently using or considering GRC technology solutions, nearly two thirds (61%) expect to spend more money on enterprise GRC platforms in the next three years.

(OCEG. (2016). 2016 GRC Technology Strategy Survey Report. Retrieved 12 January, 2017)

 

Harassment (US)

In a 2014 national survey, 27% of American workers (37 million) indicated that they have been the victim of abusive conduct at work.

(Workplace Bullying Institute. (2014). WBI 2014 US Workplace Bullying Survey | Workplace Bullying Institute. Retrieved 13 January, 2017)

 

56% of bullies are people in positions of authority. 

(Workplace Bullying Institute. (2014). WBI 2014 US Workplace Bullying Survey | Workplace Bullying Institute. Retrieved 13 January, 2017)


Less than 20% of American employers take actions to stop workplace bullying. 

(Workplace Bullying Institute. (2014). WBI 2014 US Workplace Bullying Survey | Workplace Bullying Institute. Retrieved 13 January, 2017)


To escape bullying, 48% of the bullied targets quit their jobs.  Additionally, 13% of targets are fired from their jobs. 

(Workplace Bullying Institute. (2014). WBI 2014 US Workplace Bullying Survey | Workplace Bullying Institute. Retrieved 13 January, 2017)


 

Pace of Regulatory Change

Keeping policies current with changing regulations is the number one challenge for 47% of organizations. Relatedly, training employees (40%) and managing policy version control (32%) were also noted as significant challenges.

(Penman, C. & Stephens, R. (2016). 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017)

 

In 2012, 40% of senior risk executives working for large organizations were very or extremely concerned about their existing risk system’s ability to adapt to forthcoming regulatory requirements. 44% of respondents from mid-size organizations and 12% from smaller institutions shared similar strong concerns.

(Deloitte. (2014). Governance, Risk and Compliance (GRC) software - Business needs and market trends. Retrieved 12 January, 2017)

 

Regulatory Impacts

In the past three years, 44% of organizations have faced “legal or external regulatory actions where a policy came under review as part of the action or defense”.

(Penman, C. & Stephens, R. (2016). 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017)

 

Resourcing & Budgets

In a 2016 survey of risk management employers, two thirds (68%) feel that their compliance department is “insufficiently resourced for the demands made on it”, representing an increase from 55% in 2015.

(Barclay Simpson. (2016). Corporate Governance Recruitment Market Report 2016 - Compliance. Retrieved 12 January, 2017)

 

In a 2016 survey, 47% of surveyed internal auditors feel that their internal audit department is “sufficiently resourced for the demands that are made on it”.

(Barclay Simpson. (2016). Corporate Governance Recruitment Market Report 2016 - Internal Audit. Retrieved 12 January, 2017) 
 

Almost a quarter of organizations have a third-party risk management budget of less than $50,000.

(Stephens, R. (2016). 2016 Ethics & Compliance Third Party Risk Management Benchmark Report. Retrieved 18 January, 2017)

 

Around half (51%) of financial service firms globally have a senior manager responsible for conduct risk. There is a degree of regional variation, with respondents in Australasia reporting that only 28% of firms have a senior manager for conduct risk.

(Thomson Reuters. (2016). Conduct Risk Report 2015/16. Retrieved 12 January, 2017)

 

Retaliation (Global)

Approximately one third (median value 36%) of whistleblowers experience retaliation across 13 countries surveyed. 

(Ethics and Compliance Initiative. (2016). Global Business Ethics Survey. Retrieved 17 January, 2017)

 

Retaliation (US)

34% of American workers do not speak up about misconduct due to fear of retaliation from senior leadership.  Additionally, 30% were concerned about payback from a supervisor and 24% were worried about their co-workers retaliating. 

(Ethics and Compliance Initiative. (2014). National Business Ethics Survey® (NBES®) 2013. Retrieved 17 January, 2017)

 

Training

During a two to three year cycle, organizations provide training on an average of 12 topical areas. The top three topics most likely to be covered by training programs within the next two to three years are code of conduct (93%), conflict of interest (76%), and cybersecurity (69%).

(Freedeen, I. (2016). 2016 Ethics and Compliance Training Benchmark Report. Retrieved 17 January, 2017)

 

Only 12% of organizations have an advanced compliance and ethics training program.  Nearly 40% of organizations rate their programs as basic or reactive. 

(Freedeen, I. (2016). 2016 Ethics and Compliance Training Benchmark Report. Retrieved 17 January, 2017)

 

More than one half (51%) of respondents have implemented some form of training on conduct risk. More than one-third of firms (37%) have not done so, but feel they need to.

(Thomson Reuters. (2016). Conduct Risk Report 2015/16. Retrieved 12 January, 2017)

 

23% of companies do not have a formal compliance training plan in place. 

(Freedeen, I. (2016). 2016 Ethics and Compliance Training Benchmark Report. Retrieved 17 January, 2017)

 

Only 13% of Boards are given training on cybersecurity.  

(Freedeen, I. (2016). 2016 Ethics and Compliance Training Benchmark Report. Retrieved 17 January, 2017)

 

Whistleblowing

Organizations with reporting hotlines detected fraud through tips 47.3% of the time whereas organizations without hotlines only detected 28.2% of fraudulent cases through tips. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)


In organizations that have a formal reporting structure, telephone hotlines were the most common single method for reporting a tip (39.5%). However, all forms of online reporting combined (such as email (34.1%) and web-based or online forms (23.5%)) make the Internet the more popular reporting channel overall.

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)


Whistleblowers report fraud to their direct supervisors 20.6% of the time and company executives 18% of the time in the cases studied. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)


However, it should be noted that the Ethics Resource Center reports 56% of initial complaints are made to direct supervisors. 

(Keating, G., & Kruzer, L. (2017). Effective Employee Training Increasingly Important Amid Increased Whistleblower Liability and Damage Awards. Retrieved 17 January, 2017)

 

The time it takes to close a case is increasing year over year.  The case closure time in 2011 was a median of 32 days vs. a median of 46 days in 2015.  

(Penman, C. & O’Mara, E. (2016). 2016 Ethics and Compliance Hotline Benchmark Report. Retrieved 18 January, 2017)

 

Over a six year span, the number of tips that are determined to have merit has increased from 30% in 2010 to 41% in 2015.

(Penman, C. & O’Mara, E. (2016). 2016 Ethics and Compliance Hotline Benchmark Report. Retrieved 18 January, 2017)

 

According to the Ethics Resource Center 91% of whistleblower tips are first reported internally.  If not addressed properly, 84% of those go on to report the misconduct externally. 

(Keating, G., & Kruzer, L. (2017). Effective Employee Training Increasingly Important Amid Increased Whistleblower Liability and Damage Awards. Retrieved 17 January, 2017)


Whistleblower hotlines are only implemented in 60.1% of organizations. In small organizations, hotlines are only implemented in 25.7% of the cases studied. 

(Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017)


Comments


This is good stuff. First time I have seen stats on compliance. I can use this as a baseline.

0 Responses
Dec. 18, 2018, 4:02 a.m. Paul Bertino

Advanced understanding of ethics through more intensive training elevates the workplace and replaces reaction with supportive behavior.

0 Responses
March 28, 2017, 9:48 a.m. Nancy Pyle

Whether an entry level employee or top executive, the Compliance statistics list is a MUST READ. As an employee, share these astounding statistics with your employer so the organization knows the importance of a Compliance Program. As a top executive, realize your organization will be affected by one or more of these things eventually. Study these statistics and get something in place to protect the employees and your organization.

0 Responses
March 28, 2017, 9:18 a.m. Stephanie Dixon

I love this list of statistics. Companies believe that it will never happen to them. With whistleblowing on the rise, and almost 30% of the workforce stating that they have been the victim of harassment - it can, and quite likely will, happen to anyone. Give your employees a voice, and a way to speak up without fear of harassment or retaliation. People first.

0 Responses
March 28, 2017, 8:54 a.m. Andrea Ihara

Never thought I could find such a comprehensive list in one area! This website is phenomenal, and a great resource for all compliance materials.

0 Responses
March 28, 2017, 8:47 a.m. Marinela Prifti